Two-factor authentication (2FA) is an authentication process in which two of three recognised factors are used to identify a user:

Something you know - usually a password, passcode, passphrase or PIN.

Something you have - a cryptographic smartcard or token, a chip-enabled bank card or an RSA SecurID-style token with rotating digits.

Something you are - fingerprints, iris patterns, voice prints, or similar.

Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website.

So if someone manages to get hold of your password (something you know), they still will not be able to access your account unless they can provide one of the other two factors (something you have or something you are).

For example, at Sophos we use secure tokens with rotating six-digit codes to remotely access internal systems. Every time I want to establish a VPN session, I need to provide my username, a password and the six-digit code appended to a PIN.

At home I use similar methods to access many online and personal resources. In the last year, many social media sites, including Facebook, Twitter and LinkedIn, have added some form of two-factor authentication.

Many of these sites employ SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

Patchy mobile coverage and the unreliable delivery of SMS messages can make this difficult, however.

Some services let you use an authenticator app alongside your password. The app presents a different numeric one-time password (OTP) for each service you register with it, computed on the phone from a secret shared with the service and the current time, so no code has to be sent to you. Google and Microsoft both make such apps freely available in their respective app stores.

Authenticator apps can be great for signing into sites like Google, Facebook and Twitter even when your phone does not have service (mobile or otherwise). As a matter of fact, I used this very method to log into WordPress in order to publish this article.

Google's authenticator app can also be used to add a second factor to Secure Shell (SSH) logins: the matching server-side PAM module (pam_google_authenticator) prompts for the six-digit code after the usual key or password check.

Things can still go wrong though. There is Android malware in the wild that is specifically designed to steal your SMS verification codes in an attempt to thwart 2FA. This is one reason why a good Android security app, like Sophos Antivirus and Security, is a must.

So, should you use two-factor authentication?

In my opinion, the answer is an emphatic YES! Two-factor authentication is not a silver bullet but it does dramatically increase your security by making it much harder for your accounts to be compromised.

Unfortunately, two-factor authentication is not available everywhere but it is used by many of the most popular sites and services on the internet. Hopefully the ease of use and increased security provided by two-factor authentication will compel the rest to follow suit.

14 Responses to Security essentials: What is two-factor authentication?

If you use as a second factor the very same device where the one-time-password will be used, that's not two-factor authentication. Even Google calls their system (which is actually an open standard, not Google's) "two step authentication."

For example, if I'm using a computer that's compromised, and yet receive an SMS message or run soft-token software on that *same* system, that's not really an independent factor.

Soft tokens are never, ever, as secure as independent hard tokens.

Soft tokens (I mean tokens stored on the relevant computer) are sometimes more secure than independent hard tokens, as was seen in the RSA breach - people with the hard tokens suffered, and many of them switched to soft tokens. If you have a soft token on the computer, only that computer can gain access. If you have an independent hard token, it can (potentially) be used to access from any computer.

There is also "someWHERE you are" - proximity detection like a specific wifi access point, GPS data (not 100% reliable, but better than nothing) or just the good old "you have to be at one of the terminals in this room" :)

Thanks for the information about Google’s authenticator; very useful. When I use my mobile phone (rarely), I use it as an actual phone (gasp!). It would be more than merely inconvenient to use SMS for two-factor authentication; I'm fiercely protective of my mobile phone number, and the last thing I want to do is give it to Google, let alone an intrusive operation like Facebag.

An authenticator app is a great solution. Hopefully more websites will add two factor authentication that is responsive to such solutions, rather than just assuming that everyone wants their Internet activity to be tethered to a mobile phone.

Sorry, I can't agree that Two Factor Authentication means any two of the three cliches What You Know / Have / Are. I reckon the idea and the terminology of 2FA has been bastardised over the years.
2FA used to entail -- and still should -- a physical gadget, mainly because you can tell quickly if it's been compromised. One of the deep deep problems with biometrics is that you cannot immediately tell when a trait has been stolen or replicated. Ironically, in this regard, biometrics is very much like passwords.
[The language "something you are" is actually terribly misleading; it hides the reality that in principle any trait can be replicated. Lay people get this optimism from sci-fi movies that biometrics are an infallible scan of the real you. But they're just automated fallible finite observations. So they're not "what you are" at all, but "what you look like / sound like / seem to be like".]
Frankly, it's sad that we're getting less disciplined in the way we use the term 2FA while we continue to mess about with stop-gap security. We wouldn't be in such strife if we bit the bullet and deployed natural-to-use cryptographic hardware keys. We nearly did it when Microsoft standardised on smartcards in 2003 but we chickened out. Funny to think that the banking and credit industries settled in the 1970s on a standard intuitive plastic card, and then upgraded to chip cards in the 2000s. Where would we be today if Visa and Mastercard were as "technology neutral" (i.e. technologically pathetic) as the computer security industry?

If I were to be cynical, I might say that the "bastardisation" that has insisted 2FA is something you know and something you have (the physical gadget) was promoted by the companies that just happen to have "something you have" to sell you - token vendors :-)

To me, good 2FA ought to include a factor that is physically separate from the other (e.g. token, mobile phone), and a one-time password, but that's an additional issue over and above the "2" in "2FA." (That rules out biometrics for me. "I know. Let's capture a password you can never, ever change. And then lose it.")

By the way, I was very recently issued a bank card that I can use online, to buy almost anything I want, based entirely on three things I know - a 16-digit number, a second 4-digit number, and a final 3-digit number, viz: card number, expiry date and CVV code.

Because 23 digits are a lot to remember, they're handily printed on the card, just to help any crook who steals my card to know the "secret" numbers too.

So, to answer "where would we be today" with VISA and Mastercard - that's where.

Yes. I should have ring-fenced my admiration of the card companies! They did a great job standardising the plastic card authentication form factor for card present, but then they lost the plot on the Internet. You're right Paul, why do we pretend to have three different numbers? Why not go to 23 digit PANs? Having to enter the CVV into a web site is the brain-deadest security measure anyone has ever come up with. Or was it? Idea for a competition right there!

The CVV for online transactions is not entirely pointless, since the digits are on the card but not on the magstripe, so unattended skimmers (e.g. at ATMs) don't get it, and dodgy waiters/sales staff in a restaurant or shop have an added hurdle - needing to remember the CVV for each card they've run through their mobile skimmer. Unless they just photograph the card instead ;-)

PCI-DSS is stricter for CVVs, too. You may not retain it after the transaction, not even encrypted, IIRC.

Most of the sites which employ SMS code verification are actually NOT something you need to have. Because they use a well known algorithm (rfc6238) to generate the verification code, and this algorithm is based on a PERMANENT secret value linked to the user (this same secret is used by Google's authenticator app). So ANYBODY who knows or steals this secret value can generate the verification code and DOESN’T NEED your mobile. So this is definitely something you need to KNOW.

Ironically, in fact you receive the SMS code verification because you don't know this secret (but the site knows it, and maybe someone else… ?)

But I agree that it's anyway much, much better than a simple login/password.

I am generally security conscious and use a password manager to ensure complex and different passwords for the sites that I use. I should like to use 2FA, but don't have a mobile phone and have no desire to spend the money on one. Fortunately, both the banks I use provide hardware devices for log-in. Unfortunately, my partner's bank insists on the use of a phone and so she can only do online banking when at home. Have we now got the state where one has to have a mobile phone (which is easily lost / stolen) for security?

About the author

John Shier is a Senior Security Expert at Sophos. John is a popular presenter at security events, and is well-known for the clarity of his advice, even on the most complex security topics. John doesn't just talk the talk: he also gives hands-on technical support and product education to Sophos partners and customers.